github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2026-03-17 18:22:14 +00:00
Code Issues Projects Releases Wiki Activity
Files
50fab831735d6fa083fee255aa9babe44cc71fab
kata-containers/docs/how-to/privileged.md
Fabiano Fidêncio 5c0269881e tests: Make editorconfig-checker happy 
- Trim trailing whitespace and ensure final newline in non-vendor files
- Add .editorconfig-checker.json excluding vendor dirs, *.patch, *.img,
  *.dtb, *.drawio, *.svg, and pkg/cloud-hypervisor/client so CI only
  checks project code
- Leave generated and binary assets unchanged (excluded from checker)

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-10 21:58:28 +01:00

3.1 KiB
Raw Blame History

Privileged Kata Containers

Warning

Whilst this functionality is supported, it can decrease the security of Kata Containers if not configured correctly.

Kata Containers supports creation of containers that are "privileged" (i.e. have additional capabilities and access that is not normally granted).

Enabling privileged containers without host devices

Tip

When Kata Containers is installed through kata-deploy, this mitigation is configured out of the box, hence there is no action required in that case.

By default, a privileged container attempts to expose all devices from the host. This is generally not supported in Kata Containers as the container is running a different kernel than the host.

Instead, the following sections document how to disable this behavior in different container runtimes. Note that this mitigation does not affect a container's ability to mount guest devices.

Containerd

The Containerd allows configuring the privileged host devices behavior for each runtime in the containerd config. This is done with the privileged_without_host_devices option. Setting this to true will disable hot plugging of the host devices into the guest, even when privileged is enabled.

Support for configuring privileged host devices behaviour was added in containerd 1.3.0 version.

See below example config:

[plugins]
  [plugins.cri]
    [plugins.cri.containerd]
       [plugins.cri.containerd.runtimes.runc]
         runtime_type = "io.containerd.runc.v2"
         privileged_without_host_devices = false
       [plugins.cri.containerd.runtimes.kata]
         runtime_type = "io.containerd.kata.v2"
         privileged_without_host_devices = true
         [plugins.cri.containerd.runtimes.kata.options]
           ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration.toml"

CRI-O

Similar to containerd, CRI-O allows configuring the privileged host devices behavior for each runtime in the CRI config. This is done with the privileged_without_host_devices option. Setting this to true will disable hot plugging of the host devices into the guest, even when privileged is enabled.

Support for configuring privileged host devices behaviour was added in CRI-O 1.16.0 version.

See below example config:

[crio.runtime.runtimes.runc]
  runtime_path = "/usr/local/bin/crio-runc"
  runtime_type = "oci"
  runtime_root = "/run/runc"
  privileged_without_host_devices = false
[crio.runtime.runtimes.kata]
  runtime_path = "/usr/bin/kata-runtime"
  runtime_type = "oci"
  privileged_without_host_devices = true
[crio.runtime.runtimes.kata-shim2]
  runtime_path = "/usr/local/bin/containerd-shim-kata-v2"
  runtime_type = "vm"
  privileged_without_host_devices = true
Reference in New Issue View Git Blame Copy Permalink